Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.1.0.CR1
Affects Version/s: 7.1.0.ER2
Component/s: Security, Undertow
Labels:
- wildfly-openssl

Affects:

Documentation (Ref Guide, User Guide, etc.)
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly/wildfly-openssl/commit/318a919ea3b6d032e6ffd6fb23c1192772a849c7
Steps to Reproduce:
Hide

We need to have an EAP worker and an EAP proxy servers:

worker
unzip EAP
generate neccessary keystores in standalone/configuration directory:
EAP - worker

keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret

configure two-way ssl in EAP CLI:

/subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509") /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true) batch /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch

proxy
copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory
Configure two way ssl in EAP CLI:
EAP - proxy

/subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509") /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true) batch /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch

Configure reverse-proxy in EAP CLI:

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443) /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add() /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https) /subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)

start EAP - worker

./bin/standalone.sh

start EAP - proxy

./bin/standalone.sh -Djboss.socket.binding.port-offset=1000

import certificate to your client (beware - with this configuration you actually want to import server.p12)

perform request to https://localhost:9443/proxy

see 503 - Service Unavailable response from proxy
Show
We need to have an EAP worker and an EAP proxy servers: worker unzip EAP generate neccessary keystores in standalone/configuration directory: EAP - worker keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret configure two-way ssl in EAP CLI: /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch proxy copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory Configure two way ssl in EAP CLI: EAP - proxy /subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch Configure reverse-proxy in EAP CLI: /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443) /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add() /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https) /subsystem=undertow/server= default -server/host= default -host/location=\/proxy:add(handler=my-proxy) start EAP - worker ./bin/standalone.sh start EAP - proxy ./bin/standalone.sh -Djboss.socket.binding.port-offset=1000 import certificate to your client (beware - with this configuration you actually want to import server.p12) perform request to https://localhost:9443/proxy see 503 - Service Unavailable response from proxy

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Reverse proxy in Undertow does not work with OpenSSL provider configured. Follow Steps to Reproduce section to configure and check error. On proxy there is following exception logged:

18:27:26,640 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
18:27:26,642 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /proxy for path /proxy
18:27:26,643 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
18:27:26,644 DEBUG [io.undertow.request] (default I/O-12) Failed to connect: java.io.IOException: java.lang.UnsupportedOperationException
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:328)
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:306)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:330)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
Caused by: java.lang.UnsupportedOperationException
        at org.wildfly.openssl.OpenSSLEngine.setUseClientMode(OpenSSLEngine.java:1062)
        at org.xnio.ssl.JsseSslUtils.createSSLEngine(JsseSslUtils.java:148)
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:321)
        ... 4 more

Worker does not log anything important. When standard jsse provider is configured on proxy

/subsystem=elytron/server-ssl-context=twoWaySSC:undefine-attribute(name=providers)

proxying starts to work and one can see EAPs welcome page.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

reverse-proxy-reproducer.zip
26 kB
2017/07/25 4:42 PM

is related to

JBEAP-11599 OpenSSL client ignores certificate validation result

Closed

Assignee:: Jan Kalina (Inactive)

Reporter:: Jan Stourac

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2017/07/24 12:43 PM

Updated:: 2024/09/02 3:21 PM

Resolved:: 2017/08/29 6:29 AM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates